Add optional PodDisruptionBudget to the Helm chart #383
Signed-off-by: Richard Wall <richard.wall@venafi.com>
Signed-off-by: Richard Wall <richard.wall@venafi.com>
Signed-off-by: Richard Wall <richard.wall@venafi.com>
{{- if .maxUnavailable -}} | ||
maxUnavailable: {{ .maxUnavailable }} | ||
{{- end -}} | ||
{{- end -}} |
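Review bot: `{{- if .maxUnavailable -}}` tests the value for truthiness, so a user who sets `maxUnavailable: 0` (a valid PodDisruptionBudget setting that forbids every voluntary eviction) gets no `maxUnavailable:` key rendered at all and the budget silently falls back to whatever the other branch produces. Consider `{{- if hasKey . "maxUnavailable" }}` so that an explicit zero is passed through to the manifest, and apply the same treatment to the minAvailable branch if it is written the same way.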
Example output of the validation in this new helper.
$ helm upgrade --install -n venafi approver-policy _bin/scratch/image/cert-manager-approver-policy-v0.13.0-alpha.0-12-g075790a76f86b9-dirty.tgz --set podDisruptionBudget.enabled=true --set podDisruptionBudget.minAvailable=1 --set podDisruptionBudget.maxUnavailable=1 --set image.tag=v0.12.1
Error: UPGRADE FAILED: execution error at (cert-manager-approver-policy/templates/poddisruptionbudget.yaml:10:6): Cannot set both .minAvailable and .maxUnavailable
Auto generated by make generate-helm-schema
Auto generated by make generate-helm-docs
Added this NOTES file to give some warning to the user. Inspired by something @inteon added to venafi-enhanced-issuer.
/retest Possible flaky test
/hold while I test that this actually works on a multi-node cluster.
/lgtm
/approve
My expectation for this is that it would copy https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/templates/poddisruptionbudget.yaml but this looks better - thanks!
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: SgtCoDFish
Demonstration of PodDisruptionBudget preventing disruption of the approver-policy service

# kind.config.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker
- role: worker

kind create cluster --config kind.config.yaml
kubectl label node kind-worker node-restriction.kubernetes.io/reserved-for=platform
kubectl taint node kind-worker node-restriction.kubernetes.io/reserved-for=platform:NoExecute

# values.yaml
image:
  tag: v0.12.1
replicaCount: 2
podDisruptionBudget:
  enabled: true
app:
  webhook:
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
          - matchExpressions:
            - key: node-restriction.kubernetes.io/reserved-for
              operator: In
              values:
              - platform
    tolerations:
    - key: node-restriction.kubernetes.io/reserved-for
      operator: Equal
      value: platform

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.3/cert-manager.crds.yaml
helm upgrade approver-policy _bin/scratch/image/cert-manager-approver-policy-v0.13.0-alpha.0-12-g075790a76f86b9-dirty.tgz --install --create-namespace --namespace venafi --values values.yaml
kubectl label node kind-worker2 node-restriction.kubernetes.io/reserved-for=platform
kubectl taint node kind-worker2 node-restriction.kubernetes.io/reserved-for=platform:NoExecute
(Does not automatically trigger the re-scheduling of approver-policy Pod 2)

$ kubectl drain kind-worker --ignore-daemonsets --delete-emptydir-data
node/kind-worker already cordoned
Warning: ignoring DaemonSet-managed Pods: kube-system/kindnet-pw4rl, kube-system/kube-proxy-lf94r
evicting pod venafi/cert-manager-approver-policy-78bdd57987-zkqn4
evicting pod venafi/cert-manager-approver-policy-78bdd57987-ps2jh
error when evicting pods/"cert-manager-approver-policy-78bdd57987-zkqn4" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
pod/cert-manager-approver-policy-78bdd57987-ps2jh evicted
evicting pod venafi/cert-manager-approver-policy-78bdd57987-zkqn4
error when evicting pods/"cert-manager-approver-policy-78bdd57987-zkqn4" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
evicting pod venafi/cert-manager-approver-policy-78bdd57987-zkqn4
error when evicting pods/"cert-manager-approver-policy-78bdd57987-zkqn4" -n "venafi" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.
evicting pod venafi/cert-manager-approver-policy-78bdd57987-zkqn4
pod/cert-manager-approver-policy-78bdd57987-zkqn4 evicted
node/kind-worker drained

$ kubectl get pods -n venafi -o wide
NAME                                            READY   STATUS    RESTARTS   AGE   IP           NODE           NOMINATED NODE   READINESS GATES
cert-manager-approver-policy-78bdd57987-c9xdw   1/1     Running   0          12m   10.244.1.2   kind-worker2   <none>           <none>
cert-manager-approver-policy-78bdd57987-v62wp   1/1     Running   0          12m   10.244.1.3   kind-worker2   <none>           <none>
/unhold
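As an added illustration (not code from this PR or from the approver-policy chart), the Go snippet below reproduces the arithmetic the Kubernetes disruption controller applies when an eviction request arrives, so the refusals in the drain output above can be predicted: with 2 replicas and a budget equivalent to minAvailable: 1 (an assumption; the chart's default values are not shown in this thread), one eviction is allowed and the second is refused until the replacement pod is healthy again. It goes beyond the demonstration by also resolving percentage values, which Kubernetes rounds up for minAvailable and down for maxUnavailable.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// PDBSpec holds the mutually exclusive PDB fields: an int, a percentage like "50%", or "" if unset.
type PDBSpec struct{ MinAvailable, MaxUnavailable string }

// scaled resolves an int-or-percent value against the replica count, rounding a
// percentage up for minAvailable and down for maxUnavailable, as Kubernetes does.
func scaled(v string, total int, roundUp bool) (int, error) {
	n, err := strconv.Atoi(strings.TrimSuffix(v, "%"))
	if err != nil || n < 0 {
		return 0, fmt.Errorf("invalid int-or-percent value %q", v)
	}
	if !strings.HasSuffix(v, "%") {
		return n, nil
	}
	if roundUp {
		return (n*total + 99) / 100, nil
	}
	return n * total / 100, nil
}

// DisruptionsAllowed is how many voluntary evictions the budget permits right now,
// given the desired replica count and the number of currently healthy pods.
func DisruptionsAllowed(spec PDBSpec, replicas, healthy int) (int, error) {
	// Setting both fields is rejected, as the chart's validation helper also does.
	if (spec.MinAvailable != "") == (spec.MaxUnavailable != "") {
		return 0, fmt.Errorf("exactly one of minAvailable or maxUnavailable must be set")
	}
	field, roundUp := spec.MinAvailable, true
	if spec.MaxUnavailable != "" {
		field, roundUp = spec.MaxUnavailable, false
	}
	n, err := scaled(field, replicas, roundUp)
	if err != nil {
		return 0, err
	}
	desiredHealthy := n // minAvailable: pods that must stay up
	if !roundUp {
		desiredHealthy = replicas - n // maxUnavailable: counted down from replicas
	}
	if healthy < desiredHealthy {
		return 0, nil // already below budget: no voluntary evictions
	}
	return healthy - desiredHealthy, nil
}
```

With `PDBSpec{MinAvailable: "1"}` and 2 replicas, `DisruptionsAllowed` returns 1 while both pods are healthy and 0 once one has been evicted, which is exactly the retry loop `kubectl drain` shows above.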
The platform engineer who deploys approver-policy using the Helm chart wants to avoid disruption of the approver-policy service when draining a node, for example.
They can use the following values.yaml to achieve this:
Testing
Without enabling PDB
With PodDisruptionBudget enabled